It always comes down to data. In order to function properly in their jobs, employees need access to data. Along with access to the data, they need a comprehensive method of utilizing the data. In the office, employees have secure access to the data they are permitted and the means to utilize the data. However, the company office is not the only place users require access to data.
We now have users that work from home, mobile, and remote offices. We have many types of portable devices, Wi-Fi access, and the Internet at our disposal that we can be just about anywhere and be need access to company data. So, if employees are not in the office, how do we make it possible for them to securely access data and provide the means to utilize it?
There are many solutions we could implement to offer our users secure remote access to data. Each one has its pros and cons involving ease of use, security, performance, and comprehensiveness. All the methods have the ability to be secure (some more secure than others). All solutions have the ability to require users authenticate/logon. In fact, depending on how each access solution is implemented, they all have the ability to make use of two-factor authentication. All methods have a varying level of complexity to implement. Here are some of the most common solutions:
- Public Facing Websites – a website that is accessible to the Internet to provide users access to data in the company’s private data center. Security can be provided by SSL encryption and user authentication (logon). The webpage provides the GUI for users to comprehensively utilize data. The application being used can determine how viable a website solution is. Many third-party applications already provide web based access. For instance, almost every third-party e-mail solution of today has the ability to provide access through a webpage. In-house developed applications may or may not have been created with web access and may not be viable for straight access through the Internet. The biggest con to a web-based solution is security. You are providing a public doorway to your data with a webpage. If you do everything correct in securing the page you should be fine, but there is always risk.
- Cloud Services – in essence, another form of web based access to data with differences. For instance, one difference may be where the data resides. Cloud based solutions do not always keep the data in the companies private data center. The data could reside at the data center of the cloud solutions provider instead. Required hardware and security are then provided by the cloud provider. Enterprise organizations may have the means to offer their own cloud based solutions, but most small to medium companies will need to lease a cloud-based solution. Cloud services is a subject in itself.
- VPN – a Virtual Private Network solution offers a user remote connections directly to the company network and behave as if the user is on the local network. Using features like split-tunneling, communications meant for the company network can be segregated from other communications the user may be utilizing (i.e. Internet browsing). The most common form of VPN today is an SSL VPN. As the name implies, it utilizes SSL encryption for security. Almost all VPNs in use today utilize Internet access. However (believe it or not) some organizations still require the higher security of dial-in access. The problem with a VPN is that though it does a great job of getting you connected to the company network, you still need a method of utilizing the data. Once connected through a VPN, a user can access an internal web site, run an application that is on their device that knows to connect to data through the VPN, or access something on the network that will enable the user. This solution is probably the easiest to implement for an administrator, but it can also be the one with the highest learning curve for the user. Many times, the users will have to take extra steps in order to enable proper data access.
- Remote Desktop Services (RDS) or Citrix XenApp – RDS comes with Windows Server (2008 or 2012). It allows users to access server based desktops or applications. The user is given access to either a full desktop or just specific applications. The desktops or applications are all running on a server back in the data center. The data and the applications are never on the remote user’s device. Only keyboard presses, mouse movement, and changes in video are transmitted between remote device and data center. The data remains safely in the datacenter. In this solution, users are sharing server resources, but do not interact with each other. RDS requires Client Access Licenses for each accessing user. Citrix XenApp installs on top of RDS and enhances RDS abilities (think of it as RDS on steroids). RDS was designed by a combined team of Microsoft and Citrix specialists, so Citrix knows how to enhance RDS. XenApp is faster, more secure, easier to administer, and has more features than RDS. I have been working with Citrix XenApp and its predecessors since the late 90s and love it, so I am a little biased when I say that this is my preferred solution.
- Virtual Desktop Infrastructure (VDI) – refers to Citrix XenDesktop, VDI-in-a-Box, VMWare View, and similar products. In this case, users connect remotely to a virtual machine that is running a desktop OS (Windows XP, 7, or 8). Like RDS and XenApp, the data stays in the datacenter. Only keyboard presses, mouse movements, and screen changes are transmitted. The difference is that the user is accessing a desktop with its own resources instead of sharing resources with other users. Applications installed on the desktop provide users with the comprehensive access to data with a high level of compatibility for applications. This solution is generally more expensive to implement, but it can also be one of the most secure and comprehensive ways to enable users both locally and remotely.
- Remote PC – this refers to services like VNC, LogMeIn, and even Citrix XenDesktop. In this case, the user is taking remote control of a physical PC/workstation in the company office. For instance, a user has a desktop that they work on in the company office. When the go external to the company office, they can connect back to their company office desktop and control it remotely. This provides the user with the same working environment internally and externally. However, this method tends to be a little slower and is affected more by bandwidth and slowness issues. I mention Citrix XenDesktop again because XenDesktop has a feature where it can have an agent on a physical desktop and provide that desktop to a user instead of a virtual machine. Because it uses Citrix’s ICA protocol and access methods, Citrix’s Remote PC solution tends to provide higher performance than others.
There are many other solutions for accessing data from the outside world, but not enough time to explain each here. I have instead listed the ones I consider the most prevalent. There is one consideration in the securing of data that I did not stress and I am going to do so now. The safest place for your data is in the datacenter. If data is stored on or copied to a remote device, it is harder to keep the data safe. If data is stored only on a remote device and not on the network, loss of that device through hardware failure or theft will most likely be irreplaceable loss of that data. Solutions like RDS, VDI, Citrix, and remote PC keep the data in the datacenter and still allow the users adequate access to it. VPN solutions allow for and sometimes need to have data on a remote device. When deciding on a method of access, keep in mind where you want the data to be stored and how you want it accessed. That should be one of the primary deciding factors.
Questions? As always, please post your questions or comments below.
Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)|
Sr. Network Consultant
© 2014 Custom Systems Corporation